Despite Google’s best efforts, malware peddlers occasionally manage to get their malicious wares on Google Play. The latest example of this unfortunate reality is an app called Black Jack Free (com.bjack.free).
According to Lookout researchers, the app was possibly downloaded by as many as 5,000 users before Google yanked it from the store four days after it initially appeared.
Ostensibly a free gambling app with clean, pleasing graphics, the app also contained a variant of the Acecard malware family.
The malware’s main goal is to steal users’ personal and banking information, as well as login credentials for a number of popular online services and social networks (Skype, Facebook, PayPal, Google Play, etc.). It does so by springing fake pop-up windows containing forms that users are urged to fill in.
But Acecard is also capable of intercepting and sending SMS messages, forwarding phone calls, locking the device screen, and wiping all user data from the device.
Finally, it attempts to download another app named Play Store Update (cosmetiq.fl). The researchers don’t say what it does, but you can bet anything on the fact that it’s not what it says it is, and that it’s not good news for users.
Users who have had the misfortune to download the Black Jack Free app are advised to remove it and the cosmetiq.fl app, and to immediately proceed to change passwords on their online accounts that might have been compromised.
This is not the first time that Acecard has managed to bypass Google Play security.
Kaspersky Lab researchers consider this malware to be one of the most dangerous threats to users today, due to its capabilities and the fact that it’s being widely distributed via other malware, official app stores, etc.